Snowden WikiLeaks and the future of espionage

Revelations about mass intelligence gathering by the US and its allies serve the useful purpose of highlighting the need for, and proper role of, intelligence oversight in democracies. This essay provides a conceptual overview of some of the ideal types of democratic intelligence oversight. Variations may exist in how these ideal types are implemented in practice, but the underlying rationale for intelligence oversight mechanisms remain the same.

The fundamental difference between authoritarian intelligence operations and those conducted by democracies is that the former serve the regime while the latter serve society. Intelligence agencies in democracies answer to the government of the day but are not subjects of it. Instead, they can be considered to be commonweal organisations, much like fire services: while they are responsible to government in the first instance they serve society as a whole. 

Under authoritarian regimes, intelligence agencies overlap internal and external espionage functions and answer only to centralised executive authority. In democracies, intelligence agencies separate internal and external espionage functions and are held accountable by systems of checks and balances between the three branches of government, even if their leadership is directly overseen by, or is a part of, the executive branch.

The reason democratic intelligence oversight is ideally split among the three branches of government is to avoid concentration of power in intelligence collection and to promote transparency and accountability among those who hold the critical responsibilities of safeguarding the nation's secrets, thwarting the espionage of others, and collecting sensitive information vital to the national interest.

Intelligence oversight in a democracy is part of a larger principle known as horizontal and vertical accountability. [fold]

Democracies are characterised by two dimensions of accountability. Vertical accountability refers to the accountability of decision-makers to the public. This can occur via elections, recalls, referenda, judicial review and other mechanisms. Citizens hold decision-makers in state agencies accountable through elected government. Officers of these agencies may be appointed or bureaucratically promoted, but they still serve the public interest under the scrutiny of elected public officers.

Horizontal accountability refers to the accountability of public institutions to each other. This lies at the core of the notion of separation of powers, whereby the actions of one branch can be reviewed and held to account by others. This most often means that the actions of the executive branch are subjected to review by the judiciary and legislature, and in the case of intelligence oversight, by specialised agencies working for them. These branches also have their own vertical accountability mechanisms, be it through legislative elections or judicial recall procedures.

The importance of independent specialised intelligence oversight agencies operated by the judiciary and legislature cannot be overestimated. These agencies require personnel with the technical skills and security clearances to expertly assess intelligence operations. Given that the scope of intelligence gathering has expanded exponentially in the digital age, this means specialised intelligence courts, review boards and legislative committees require professionals with working knowledge of, or career experience in, all types of intelligence collection. Only with such expertise can intelligence oversight agencies realistically assess the operations of, and resist co-optation by, the intelligence agencies they are charged with monitoring.

Intelligence oversight bodies must act independent of the executive branch and have powers of compulsion under oath when seeking information from intelligence officials. They must be non-partisan and apolitical, serving as permanent autonomous agencies of the judiciary and legislative branch, and receive dedicated funding. Appointing oversight bodies within the executive branch who depend on the intelligence community or the chief executive for resources is a fig leaf rather than a legitimate and effective oversight and accountability mechanism. If they are to fulfill their oversight roles, such bodies need institutional independence from the political leadership. Such oversight agencies do not make the rules governing intelligence agencies (something that is a matter for the legislature, subject to judicial confirmation). Rather, they ensure that the rules are adhered to in the course of intelligence operations.

An alternative to such agencies is to appoint an independent review/oversight board with permanent staff and all of the powers mentioned above. The board can be nominated by the executive but is ratified by consensus in the legislature, subject to judicial review and security vetting of nominees.

For democratic intelligence oversight to be effective, it must be prospective as well as retrospective. Prospective oversight refers to before-the-fact review of proposed intelligence collection efforts in pursuit of issuing surveillance warrants (particularly on domestic soil). Retrospective oversight refers to after-the-fact review of operational conduct in pursuit of determining the legality of intelligence operations at home and abroad. Taken together, the two forms of oversight promote before and after accountability on the part of intelligence officials.

With regard to the oversight role of the executive branch, which can often be the first point of contact when it comes to reviewing intelligence operations, the responsibility for issuing intelligence warrants ideally rests outside the office of the prime minister or president. Normally that would be the province of the attorney- or solicitor-general acting on the advice of external oversight agencies when considering requests by intelligence agencies. 

At their core, intelligence oversight systems depend on intelligence officials who act honestly and in adherence to the secrecy oaths and legal obligations incumbent upon them. That can be achieved by rigorous security vetting and regular monitoring of individuals with sensitive security clearances. The costs of doing so are justified by the benefits of keeping state secrets uncompromised.

There also needs to be institutional means through which intelligence officers can address complaints and concerns about operations they believe may be in violation of the legal charter governing intelligence operations (much like military justice systems dealing with illegal orders). With procedures and mechanisms for in-house review of intelligence operations, the job of external oversight becomes easier. 

Should those avenues not exist, then external intelligence oversight agencies must offer legal guarantees to whistleblowers which inspire confidence that complaints and concerns will be seriously considered and individual privacy and security protected. Otherwise the temptation will exist for potential whistleblowers to go outside the institutional framework and leak information to external actors.

Absent strong permanent oversight, the tendency will remain for intelligence agencies to 'push the envelope' of their institutional charter. It is natural (some might say required) of them to do so, as their commitment to service in defence of the national interest compel them to explore all means of advancing that goal absent legal prohibitions against specific operations or collection efforts.

Besides preventing abuses or arbitrary exercises of power, independent and autonomous intelligence oversight is a democratic hedge against that compulsion.

In summation, democratic intelligence oversight is a complex process, involving mutual checks and balances among multiple specialised and dedicated agencies. The system may appear cumbersome but it is the only real guarantee against the 'iron law of tyranny' that creeps into executive decision making on security matters.

The bottom line is captured by a phrase from Ronald Reagan: 'Trust, but verify.' His focus may have been different but the principle he espoused is as true for intelligence oversight in democracies as it is for foreign relations in general.

Photo by Flickr user Nick Hall.

It is little wonder that it was an Australian, Julian Assange, who set up the world's first secrecy leaking website, WikiLeaks. And it should be equally unsurprising that the world's greatest whistleblower is a US citizen, Edward Snowden.

The terms whistleblower and leaker are mistakenly used interchangeably. The difference is both large and instructive. The whistleblower makes a public stand. The leaker remains anonymous.

That US whistleblowers have the confidence to speak out has much to do with the right to free speech, enshrined in the US constitution's first amendment. In Australia there is no such right, so leaking is often the safest way to go.

When Assange created his leakers' website in Melbourne nearly 10 years ago, it was a creation of necessity. The identity of the leaker needed to remain secret for fear of retribution and in Australia there was every reason to be fearful. The Commonwealth Crimes Act (1914), which covers the release of unauthorised federal information, can lead to a seven-year jail sentence. 

Australia has introduced new government procedures in what looks like an attempt to prevent any home-grown leakers in the public service giving up government secrets. What the government appeared to be trying to do was encourage a culture of controlled whistleblowing within the public service to prevent the information from becoming public. [fold]

A public servant can now make a formal internal complaint about wrongdoing in a department and if not satisfied take the matter to the Public Service Commissioner. The new procedures stipulate that the public servant must not be penalised for raising the complaint.

Yet these safeguards only protect public servants who lodge complaints about their colleagues' conduct. Public servants cannot make complaints about actions taken or decisions made by politicians for fear of undermining the 'essential relationship of trust' between public servants and ministers. 

And herein lies the flaw of a procedure which threatens public servants with jail for releasing information to the media. The public service whistleblowing rules are simply designed to rigidly enforce the Australian Public Service Code of Conduct. They have nothing to do with whistleblowing for the public benefit. And they reinforce the control which ministers, the executive arm of government, have on information.

Allan Behm, the highly regarded former head of the Defence Department's international policy and strategy division, speaking on a panel three weeks ago at the Lowy Institute, said leakers should be prosecuted for breaking the law. Whistleblowers, on the other hand, should simply resign on a matter of principle and say nothing publicly, creating what would presumably be a unique phenomenon, the silent whistleblower.

If Andrew Wilkie had followed Behm's advice we would have known even less than we did about the deception which sucked us into the Iraq War. When Wilkie the whistleblower (an exception in Australia, where most intelligence information is revealed through leaks) walked out of the Office of National Assessments and said that Prime Minister John Howard and Foreign Minister Alexander Downer had misled the Australian people over Iraq's weapons of mass destruction program, there was no avenue available to discover who was telling the truth. Wilkie's whistleblowing was a clarion call for changes to the way the executive dominates the control of information.

Yet in Australia and the US, the result has been not more openness, but as Pentagon Papers leaker Daniel Ellsberg feared, a huge backlash and even more attempts to control information.

The Obama Administration has prosecuted more whistleblowers and leakers than all the other US governments in history. Yet the leaks and the whistleblowing have only increased. The fact that Wilkie wasn't prosecuted probably had more to do with the government trying to sell an unpopular war than any new found tolerance.

So why do the whistleblowers and leakers do it? 

Often the reasons are related to the excesses of government or the military during times of conflict. Ellsberg exposed how the US public had been misled over Vietnam; Bradley (Chelsea) Manning was appalled by the falsehoods of the Iraq War. Even Edward Snowden's revelations related to unbridled powers conferred on the National Security Agency (NSA) in the name of the so-called War on Terror.

Ellsberg escaped prison on a legal technicality; Manning is four years into a 35 year sentence; and Snowden is in exile in Moscow — all for revealing information their governments wanted to keep from the public.

Yet senior presidential aids and parliamentarians often leak information. When a senior aide to President George W Bush, Scooter Libby, broke the law to reveal the identity of CIA agent Valerie Plame to retaliate against her husband (who had written a New York Times article denouncing the reasons for the Iraq war), his sentence was later commuted by the President. In Australia, when the present Attorney-General Senator George Brandis was in opposition, he broke the bipartisan agreement not to talk about intelligence matters, confirming a report I did for Four Corners last year. Based on information from leakers, my report revealed that stolen blueprints for the new ASIO headquarters in Canberra had been traced to a computer server in China.

It was a significant change in the policy of never discussing intelligence matters and many hoped it might lead to a greater openness. But a few weeks after the Abbott Government was elected, Senator Brandis described Edward Snowden as a traitor for revealing information about the NSA's extraordinary surveillance program. It seems that the Attorney-General's comments about ASIO's troubles had been nothing more than a political act of point scoring against the Labor Government.

The argument supporting politicians leaking sensitive material is that in the end they are answerable to the people through the ballot box. But this crude form of accountability needs refining. A robust and more timely form of accountability is called for if the abuse of power by executive government isn't to lead us all into an even worse calamity than the Iraq war. 

So the battle continues, with executive government, their public servants and the intelligence agencies on one side, and whistleblowers and leakers and the more diligent sections of the media on the other. The public is sometimes lost in the middle, unable to work out who to trust. Often until it's too late. 

It's 7:15am and you're in a conference room, the same room you sit in every working morning. At the head of the table sits the head of your country's domestic security service. Pick a country, any country. Into that room walks a group of analysts and field investigators, and they lay a new problem on the table: yesterday evening, they say, a friendly security service told us it is watching an extremist who just returned from Syria and is now recruiting people to fight there. That extremist has a small network of global contacts. He emailed one of those contacts yesterday. That contact lives here. In the US. The UK. Germany. Or Australia.

I've sat at that table, so let me fast-forward and tell you what happens next. The questions fly, fast and furious. Who is this person? Whom does he know? What is his network? Where is he getting money? Where has he traveled? Does he have weapons or explosives?

Now take just a moment, and look at this list of critical questions: do you think they are appropriate questions? Sure, you say. So what's the fastest way to find this kind of information, when you think you might face a threat? Easy: digital records. And then, the hardest question: where could I look to find these kinds of people before we have a lead? How intrusive can I be in an effort to prevent this kind of thing?

Today, in the midst of the Snowden revelations, the questions we face focus too narrowly on the limits of security agencies and the data they collect and analyse. The pendulum has swung: who's running the asylum? How can our security agencies have done this? But then, sometime this year, or next year, or the year after, the pendulum will swing again, with some horrific event perpetrated by an individual who might have been identified through aggressive analysis of mountains of data. What do we say then? Let me guess: let's figure out a way to inch the pendulum back from the post-Snowden uproar. Maybe we can keep whittling away to reach the point at which security agencies represent a cultural norm in cyberspace that we find, if not comforting, at least less disturbing than what we think security agencies are doing today.

There are a few characteristics of this swinging pendulum we should be conscious of along the way. First, I can tell you, as a former senior official at both the CIA and the FBI, that your security agencies won't lead the debate. [fold]

They'll take the laws passed by their legislative bodies and direction from their elected leaders, and they'll press the limits of those laws. If they don't, and if that security agency then fails to stop an attack, they will face blistering questions from elected officials: 'Yes,' those security officials say, 'we could have done more. But we chose not to use all the authority you gave us because we unilaterally decided that they don't reflect our culture and values.' That ain't gonna happen. Security agencies respond to culture; they don't create it.

Second, the pendulum will never reach a perfect place, because the debate will never stop. Here's why: when you go to the airport, you expect that the government will search you, maybe aggressively, and you accept that intrusion as the price of security. But when you go to the supermarket, you would object to a government official searching you. Still, you know the supermarket chain is watching you via security camera and collecting lots of data about your purchasing patterns. But you wouldn't want the government to have the same access as the supermarket.

Culturally, we have set boundaries around our physical space: you can intrude sometimes but not others. Those boundaries are pretty well understood, yet they're constantly shifting. In New York City, the stop-and-frisk policy of randomly searching citizens raised an uproar in some parts of the community but not others.

In the rapid revolution that is our personal cyber space, we have only begun the cultural conversation about boundaries. If the phone company has your data, can the government acquire it? For what purpose? If you put your life on Facebook, you've purposefully made your life available to everybody, right? How about the government?

Are you nervous yet? You should be. Part of that nervousness stems from the fact that you, like everybody else, are feeling your way toward a cultural understanding of cyber limits, the same set of norms we have come to agree on, roughly, in the physical world.

So think of a few rules as you watch this debate. First, you can attack your security agencies, but they won't give you the solutions you want, because the questions are bigger. Second, you can believe that we will quickly develop a set of norms, but we won't. Cyberspace will change, and public expectations will evolve; this debate will never end. And finally, you'll never be comfortable. Because when that group at that table feels the responsibility to find the next attacker before he finds you, they have a new tool that will only grow more powerful, and they will use that tool, enabled by whatever laws politicians pass. That tool is the digital trail that you leave, in your life, every day.

Photo by Flickr user Nick Miller.

I've already had the opportunity to argue that listening in on the wife of Indonesian president Susilo Bambang Yudhoyono (and the subsequent defence of these actions) is clear evidence that our intelligence people have lost that essential quality, their sense of judgment.

I was struck by Allan Behm's argument that revising the law will fix these problems. In everyday life, the law sets the perimeters on our actions, but we all have to constantly exercise judgment above and beyond the requirements of the law. Society can't function without the extra constraints imposed by good sense. International relations are just the same.

There are other judgmental issues. Is the intelligence valuable enough to justify both the cost and the risk of being caught out? Is there a cheaper or better way of gathering the information, say through conventional diplomacy?

We need an external inquiry to establish how our intelligence community lost its judgment and what ongoing supervision will be needed to make up for its demonstrated lack of common sense.

It was a treat for me to host yesterday's panel discussion on Snowden, WikiLeaks and the Future of Espionage. It was a lively panel which engaged in sometimes passionate discussion on the ethics of leaking, the practical and moral limits of intelligence-gathering, and the implications of spying (and getting caught) for Australia's relations with the world, especially Indonesia.

I was joined by former Four Corners reporter and Julian Assange biographer Andrew Fowler, former senior defence official Allan Behm (who also served as chief of staff to Labor's Minister for Defence Materiel, Greg Combet), and Indonesia specialist Greta Nabbs-Keller, who also served in the Australian defence department.

Here on The Interpreter, we're planning to continue the discussion we started yesterday, particularly on the question of oversight of the intelligence agencies. I want to pull out two quotes from Allan Behm to launch that discussion (40:40):

There is an extraordinary complacency in Australia around intelligence collection. We make all sorts of assumptions that it's all done within the boundaries of the law. I suppose it is. The problem I have is that the law is now 13 years out of date. The most recent version of the Intelligence Services Act, it simply didn't envisage what you could do with meta-data. Nobody has asked the question, to my knowledge, and certainly nobody has told the government that there is a question to be asked.

And at 49:10:

We should have a thorough-going review of the ISA. The agencies should make it clear to the parliament what they are capable of doing. They don't have to say what they've collected, but what they're able to do...that should be open to much more extensive discussion in this country.

In coming days we'll have some follow-up posts that look at questions like the following: is public oversight of the intelligence community robust enough? Has it kept up with the rise of meta-data? Should parliament be more active? Should the Inspector General of Intelligence and Security have a wider remit?

Below, some further highlights from yesterday's discussion. [fold]

• Gretta Nabbs-Keller (7:20): Australia-Indonesia relations are in 'a cyclical downturn, but it's not a crisis in bilateral relations...I've come back from Jakarta much more upbeat about the state of bilateral relations...there are rumblings that things will mend soon and perhaps the Indonesian ambassador to Canberra may be back sooner rather than later.'
• Allan Behm: Edward Snowden 'has got the same status as the great train robber, in my view.'
• Andrew Fowler: 'At the back of all this discussion is the fear...of the mass surveillance state...Not because we have anything to hide, but because it is possible to concentrate the power into the hands of a very small group of people to control millions, billions of people.' (38.10)
• Greta Nabbs-Keller (44.20): 'We don't know what other nasty revelations are ahead of us. So I would hope the (Australian) Government is looking at a risk-management strategy, particularly with a new government in Indonesia, on how to stem the damage from future leaks.'

Finally, as I mentioned above, there were several exchanges about the ethics of leaking, and I wanted to share this one between Andrew Fowler, Allan Behm and myself at 26:50. We return to the topic at 50:20 with a question from journalist Brian Toohey:

AF: (Leaking) is very rare. They only do it when it really matters. And they should do it, and I would encourage them to do it.

SR: But of course, at the point at which they...have a fundamental moral objection, the obvious answer is to resign, right?

AF: No, I don't think so. I think the obvious answer actually is to stay inside and leak to us.

AB: I was never employed as the conscience of a government...I don't know anyone employed in that kind of role.

SR: But nor did you leave your conscience at the door when you clocked in each morning.

AB: That's completely correct. So if the govt is bent upon some action that you have moral disagreement with...then it is absolutely your entitlement to resign...you don't go and stand up on a box and start telling everybody that you have got a better or a higher moral purpose than anybody else has. I think that's the route to anarchy, actually.